Safe AI Workbench Developer Docs

BAA Management

Configure Business Associate Agreement status to enable Tier 2 PHI processing

What is a BAA?

A Business Associate Agreement (BAA) is a HIPAA-required contract between a Covered Entity (healthcare provider) and a Business Associate (service provider like Safe AI Workbench) that allows the sharing of Protected Health Information (PHI).

Why is a BAA needed?

Without a BAA, Safe AI Workbench can only process de-identified data (Tier 1). A signed BAA enables Tier 2 processing where identifiable PHI can be transmitted to external systems for use cases like FHIR data exchange, patient matching, and insurance claims.

With BAA (Tier 2)

  • ✅ Process identifiable PHI
  • ✅ Transmit to external APIs
  • ✅ Patient matching workflows
  • ✅ FHIR data exchange

Without BAA (Tier 1 Only)

  • ⚠️ PHI must be redacted first
  • ⚠️ De-identified data only
  • ⚠️ Limited external transmission
  • ⚠️ No patient identifiers

Accessing BAA Management

BAA management is available in the System Admin area (site admin access required).

1. Navigate to System Settings: click on your profile menu → System Admin.

2. Go to the Compliance section: in the left sidebar, navigate to Compliance → BAA Status.

3. Configure BAA settings: enter the BAA details, upload the signed agreement, and enable Tier 2 processing.

🔒 Admin Only: BAA configuration requires site admin permissions. Contact your organization administrator if you don't have access.

Configuring BAA Status

The BAA configuration form requires the following information:

BAA Signed

Toggle to indicate whether a Business Associate Agreement has been signed with Safe AI Workbench.

Signed Date & Expiration Date

Enter when the BAA was signed and when it expires. The system will display warnings 30 days before expiration and block Tier 2 processing after expiration.

BAA Provider Name

Name of the BAA provider (typically "Safe AI Workbench" or your specific vendor contact).

BAA Document URL

Optional URL to the signed BAA document (this can be a link to SharePoint, Google Drive, or a document management system).

Enable Tier 2 Processing

Master toggle to enable Tier 2 PHI processing. This is separate from BAA signed status to allow for administrative control even when BAA is in place.

PHI Processing Acknowledgment

Before Tier 2 processing can begin, an authorized user must acknowledge understanding of PHI processing responsibilities.

Acknowledgment Statement:

"I acknowledge that by enabling Tier 2 processing, our organization will transmit Protected Health Information (PHI) to Safe AI Workbench and configured external API endpoints. I confirm that:
  • A valid Business Associate Agreement is in place
  • Our organization has reviewed and approved this data sharing
  • We understand our obligations under HIPAA
  • We will maintain appropriate safeguards for PHI"

1. Click "Acknowledge PHI Processing": the button appears after enabling Tier 2 processing.

2. Review the acknowledgment statement: read the full attestation in the modal dialog.

3. Enter the attestation text: type "I acknowledge" to confirm understanding.

4. Submit the acknowledgment: the user ID and timestamp are recorded in the audit log.

⚠️ Required: Tier 2 workflows will not execute until this acknowledgment is completed, even if BAA is signed and Tier 2 is enabled.

Tier 2 Eligibility Check

The BAA status page shows real-time eligibility for Tier 2 processing based on all requirements.

Eligibility Requirements:

  • BAA must be signed
  • BAA must not be expired (expiration date in the future)
  • Tier 2 processing must be enabled
  • Customer must have acknowledged PHI processing

Eligibility Status Indicators:

Eligible for Tier 2

All requirements met. Tier 2 workflows can execute.

Not Eligible

One or more requirements not met. See status message for details.

Expiration Warnings

The system automatically monitors BAA expiration dates and displays warnings to prevent lapse.

30-Day Warning

Alert appears when BAA expires within 30 days. Begin renewal process immediately.

7-Day Critical Warning

Urgent alert when BAA expires within 7 days. Contact vendor to expedite renewal.

Expired BAA

Tier 2 processing is automatically blocked when the BAA expires. All Tier 2 workflows will fail at the compliance gate.

📅 Best Practice: Set a calendar reminder 60 days before expiration to begin the BAA renewal process with ample time for contract review.

Workflow Compliance Gate

Tier 2 workflows include a "Compliance Gate" step that validates BAA status before processing PHI.

Compliance Gate Configuration:

{
  "stepType": "compliance_gate",
  "checks": [
    "baa_signed",
    "baa_not_expired",
    "tier2_enabled"
  ],
  "blockOnFailure": true
}

Gate Behavior:

All Checks Pass

Workflow continues to next step

Any Check Fails

Workflow terminates immediately with an error message specifying the failure reason

🛑 Automatic Blocking: Compliance gate failures prevent PHI transmission. No manual intervention needed - the system enforces HIPAA compliance automatically.
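The eligibility requirements, the expiration warning thresholds and the compliance gate above all reduce to the same handful of checks over one BAA record. The following Python is an added example written for this page, not Safe AI Workbench code: the BaaStatus fields, the function names, the TODAY constant, the make_status helper and the extra check name "phi_acknowledged" are assumptions; the check names "baa_signed", "baa_not_expired" and "tier2_enabled" and the gate configuration are taken from the documentation. It goes slightly beyond the page in two ways a practitioner would want: an unknown check name in the configuration fails closed rather than being skipped, and the PHI acknowledgment requirement from the eligibility section is registered as a check so it can be listed in the gate's "checks" array.

```python
"""Tier 2 eligibility, BAA expiration warnings and the compliance gate.

Added example, not Safe AI Workbench code. Field names, function names and the
"phi_acknowledged" check name are assumptions; the other check names and the
gate configuration come from the documentation.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

WARNING_DAYS = 30   # 30-day warning threshold from the docs
CRITICAL_DAYS = 7   # 7-day critical warning threshold from the docs
TODAY = date(2025, 1, 15)  # constructed "today" so the example is deterministic


@dataclass(frozen=True)
class BaaStatus:
    """Snapshot of the BAA configuration form (field names are assumed)."""
    signed: bool
    expiration_date: Optional[date]
    tier2_enabled: bool
    phi_acknowledged: bool


def make_status(days_until_expiry: int, signed: bool = True,
                tier2_enabled: bool = True, phi_acknowledged: bool = True) -> BaaStatus:
    """Build a constructed BaaStatus expiring the given number of days after TODAY."""
    return BaaStatus(signed, TODAY + timedelta(days=days_until_expiry),
                     tier2_enabled, phi_acknowledged)


def baa_not_expired(status: BaaStatus, today: date) -> bool:
    """The expiration date must be strictly in the future; a missing date
    is treated as expired so the check fails closed."""
    return status.expiration_date is not None and status.expiration_date > today


def expiration_warning(status: BaaStatus, today: date) -> Optional[str]:
    """Return the warning level the docs describe, or None when no warning applies."""
    if status.expiration_date is None:
        return None
    days_left = (status.expiration_date - today).days
    if days_left <= 0:
        return "expired"          # Tier 2 is blocked from this point on
    if days_left <= CRITICAL_DAYS:
        return "critical"         # 7-day critical warning
    if days_left <= WARNING_DAYS:
        return "warning"          # 30-day warning
    return None


def tier2_eligibility(status: BaaStatus, today: date) -> Tuple[bool, List[str]]:
    """Evaluate the four eligibility requirements; the unmet list feeds the
    status message shown on the BAA status page."""
    unmet = []
    if not status.signed:
        unmet.append("BAA must be signed")
    if not baa_not_expired(status, today):
        unmet.append("BAA must not be expired")
    if not status.tier2_enabled:
        unmet.append("Tier 2 processing must be enabled")
    if not status.phi_acknowledged:
        unmet.append("Customer must have acknowledged PHI processing")
    return (not unmet, unmet)


# Check registry: the first three names come from the page's gate configuration;
# "phi_acknowledged" is an assumed name for the acknowledgment requirement.
CHECKS: Dict[str, Callable[[BaaStatus, date], bool]] = {
    "baa_signed": lambda s, _today: s.signed,
    "baa_not_expired": baa_not_expired,
    "tier2_enabled": lambda s, _today: s.tier2_enabled,
    "phi_acknowledged": lambda s, _today: s.phi_acknowledged,
}

# Gate step exactly as shown in the documentation.
COMPLIANCE_GATE_STEP = {
    "stepType": "compliance_gate",
    "checks": ["baa_signed", "baa_not_expired", "tier2_enabled"],
    "blockOnFailure": True,
}


def run_compliance_gate(step: dict, status: BaaStatus, today: date) -> dict:
    """Evaluate every configured check and return a record suitable for the
    workflow execution log. An unknown check name counts as a failure so a
    typo in the configuration can never let PHI through."""
    results = {}
    for name in step["checks"]:
        check = CHECKS.get(name)
        results[name] = bool(check(status, today)) if check else False
    failed = [name for name, ok in results.items() if not ok]
    blocked = bool(failed) and step.get("blockOnFailure", True)  # default: block
    return {
        "stepType": step["stepType"],
        "results": results,
        "passed": not failed,
        "blocked": blocked,
        "error": None if not failed else "Compliance gate failed: " + ", ".join(failed),
    }


if __name__ == "__main__":
    status = make_status(20)  # constructed: signed, enabled, acknowledged, expires in 20 days
    print(tier2_eligibility(status, TODAY), expiration_warning(status, TODAY))
    print(run_compliance_gate(COMPLIANCE_GATE_STEP, make_status(0), TODAY))
```

The gate result keeps the per-check outcomes rather than a single boolean, which is what the "Compliance Gate Results" audit entry needs; note that with the configuration as shown, a workflow with no PHI acknowledgment still passes the gate, so an installation that wants the gate itself to enforce that requirement has to add the corresponding check to "checks".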

Audit & Compliance Logging

All BAA configuration changes and Tier 2 processing activities are logged for audit compliance.

BAA Status Changes

Logged with user ID, timestamp, and changed fields

Tier 2 Enable/Disable

Recorded with administrative user who made the change

Acknowledgment Records

Attestation text, user ID, and timestamp permanently stored

Compliance Gate Results

Every gate check logged in workflow execution record